During a penetration test of a smart-lighting system, you capture clear-text MQTT traffic on TCP port 1883 that shows every fixture authenticating with the hard-coded credential "admin/admin." Firmware updates that add TLS and credential management will not be ready for several months. Which compensating control will most effectively reduce the chance that an attacker on the corporate LAN can hijack the lights during this period?
Deploy a signature-based IDS rule that triggers on the string "admin" in MQTT payloads.
Implement DNS sinkholing to block external queries from the lighting controllers.
Isolate the lighting controllers and MQTT broker in their own VLAN and restrict inter-VLAN routing to approved management hosts only.
Enable sticky MAC and limit each switch port to a single learned address.
Moving the vulnerable IoT devices and their MQTT broker to a dedicated VLAN (or other isolated network segment) and enforcing ACLs so that only authorized management stations can reach that segment contains any compromise to that enclave. Because the traffic remains unencrypted and the credentials cannot be changed, measures such as port security or simple IDS signatures do not stop an attacker who can reach the broker, and blocking DNS is irrelevant to MQTT traffic that uses IP addresses. Network segmentation is the primary interim countermeasure recommended by NISTIR 8228 and OWASP when patching or strong authentication cannot yet be applied.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is MQTT and why is it used in IoT?
Open an interactive chat with Bash
What is VLAN and how does it improve security?
Open an interactive chat with Bash
Why does NISTIR 8228 recommend segmentation as a critical control for IoT?
Open an interactive chat with Bash
What is a VLAN and why is it effective for isolating IoT devices?
Open an interactive chat with Bash
Why is TLS important for MQTT traffic, and how does it improve security?
Open an interactive chat with Bash
What does NISTIR 8228 recommend for securing IoT devices when patching isn't possible?
Open an interactive chat with Bash
Certified Ethical Hacker (CEH)
Mobile Platform, IoT, and OT Hacking
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .